Smucker's breached, possible ties to other high-profile attacks

Customers were notified that their personal information may have been compromised.

The J.M. Smucker Company, an Ohio-based producer of fruit spreads and beverages, has shut down its Online Store following a data breach affecting its customers' personal financial information.

According to a letter sent to individuals whose data may have been compromised, the company was “made aware” of the breach on February 12, 2014. The breach affects anyone who made a purchase on its Online Store between December 2012 and January 2014.

The data obtained by miscreants may have included customer names, addresses, email addresses, phone numbers, credit and debit card numbers, as well as expiration dates and verification codes.

“We are extremely disappointed this incident occurred and sincerely apologize for any inconvenience this may cause,” Richard Smucker, CEO of the J.M. Smucker Company, wrote in a statement posted on the Online Store website. “We continue to thoroughly investigate this matter with federal authorities.”

The company is offering two years of free credit protection monitoring for anyone affected by the breach.

In an FAQ addressing the incident, the company alludes to malware that may have captured customers' personal information as they went through the checkout process. That description suggests malware with a trait it shares with the Zeus trojan: form grabbing, that is, copying the contents of a web form in clear text before it reaches its intended recipient. Zeus does this by hooking the customer's browser before the data is encrypted and sent to the website; the FAQ's wording instead points to capture on the company's own checkout path, after TLS has already been stripped. In either case, encryption in transit does nothing to protect the card number and verification code.
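The following is an added illustration, not code from Smucker's, Krebs or the malware in question, of the server-side interception pattern the FAQ hints at. It models a hypothetical checkout route, wraps it with a "grabber" that copies the clear-text card fields before the real handler runs, and shows the kind of post-production audit that catches the change: a deploy-time integrity baseline of the code behind each route. The POST body, route names and handler are all constructed for the example; the browser-side Zeus variant, which hooks the browser's HTTP functions instead, is not shown.

```python
import hashlib
from urllib.parse import parse_qs

# Constructed sample POST body, as the web tier sees it after TLS termination.
# The card number is the standard Visa test number, not a real card.
SAMPLE_BODY = b"name=Jane+Doe&card_number=4111111111111111&exp=12%2F16&cvv=123"

SENSITIVE_FIELDS = ("name", "card_number", "exp", "cvv")
CAPTURE_LOG = []   # stand-in for the grabber's drop file or exfiltration channel


def parse_post_body(body: bytes) -> dict:
    """Decode an application/x-www-form-urlencoded body into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body.decode("utf-8")).items()}


def checkout_handler(form: dict) -> dict:
    """Hypothetical legitimate handler. A real one would hand the card to a
    payment gateway; the receipt it returns never echoes the sensitive fields."""
    return {"status": "approved", "card_last4": form["card_number"][-4:]}


def grabbing_wrapper(handler):
    """Form grabber: copy the clear-text fields, then call the real handler so
    the customer's checkout still succeeds and nothing looks wrong."""
    def wrapped(form: dict) -> dict:
        CAPTURE_LOG.append({k: form[k] for k in SENSITIVE_FIELDS if k in form})
        return handler(form)
    return wrapped


# Route table as deployed (hypothetical), plus an integrity baseline recorded
# at deploy time, before any attacker has touched the box.
ROUTES = {"/checkout": checkout_handler}


def fingerprint(fn) -> str:
    """Hash the bytecode behind a route; a wrapped or patched handler differs."""
    return hashlib.sha256(fn.__code__.co_code).hexdigest()


BASELINE = {path: fingerprint(fn) for path, fn in ROUTES.items()}


def handle_request(path: str, body: bytes) -> dict:
    """Dispatch a decoded POST to whatever handler is currently registered."""
    return ROUTES[path](parse_post_body(body))


def install_grabber(path: str = "/checkout") -> None:
    """Simulate the attacker's post-compromise change to the checkout path."""
    ROUTES[path] = grabbing_wrapper(ROUTES[path])


def integrity_check() -> list:
    """Post-production audit: every route whose code no longer matches the
    deploy-time baseline. Empty list means nothing has been tampered with."""
    return [p for p, fn in ROUTES.items() if fingerprint(fn) != BASELINE[p]]


if __name__ == "__main__":
    print("before:", handle_request("/checkout", SAMPLE_BODY), integrity_check())
    install_grabber()
    print("after: ", handle_request("/checkout", SAMPLE_BODY), integrity_check())
    print("captured:", CAPTURE_LOG)
```

The point of the example is that the customer-facing response is identical before and after the grabber is installed, so neither the shopper nor a transaction-level monitor notices anything; only a comparison against a known-good baseline does. On a real host the equivalent check hashes the deployed application files and web-server modules rather than in-memory bytecode, and it is only as trustworthy as the baseline, which must be recorded and stored off the box at deploy time.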

According to security journalist Brian Krebs, the Smucker's breach is tied to a cyber criminal collective that performed attacks on software giant Adobe, data brokers LexisNexis and Dun & Bradstreet, risk consulting firm Kroll, the National White Collar Crime Center, and credit card processor SecurePay, which all resulted in data breaches.

Several of those earlier breaches were carried out by exploiting vulnerable versions of ColdFusion, Adobe's web application platform, and Krebs found a reference to Smucker's on the control panel of a ColdFusion botnet that the attackers operated in 2013 and into this year.

Based on reports that the attack exploited a vulnerability on the company's web server, John Pirc, chief technology officer at NSS Labs, believes the company should be held accountable. While end-users should always take precautions and run anti-virus protection, he says, relying on them to carry the responsibility for security is not a sound approach.

"With the proper procedures, code audits during the system development life cycle, post-production security audits and patches, this 'likely' could have been prevented," Pirc said in an email to SCMagazine.com.

Not surprised by the breach, given the recent incidents involving Target and most recently Sally Beauty, Pirc expects this scenario to play out again and again throughout the year.

"The trend in breaches for 2014 will be like the movie 'Groundhog Day' – we will be reliving the same scenario day after day," he said.
